401 unauthorized error - MS EntraID IDP

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Version 3.0

Cluster of 1: one manager, one warm. OpenSearch running on an on-prem k3s cluster.

MS Entra ID for IdP

Describe the issue:

Yesterday I started seeing a 401 error when logging in to OpenSearch Dashboards. Everything worked great until I tried to create an internal user via the portal yesterday, then the issue started. While trying to debug, I have modified my dashboard config, node configs etc. and none of them helped.

STEPS

I launch the OpenSearch Dashboards; i am able to login but i am not able to authenticate without logging in, and this happens to everyone that tries to access via OIDC. Basic authentication works perfectly. I need help.

Configuration:

```yaml
apiVersion: v1
data:
  opensearch_dashboards.yml: |
      home:
        disableWelcomeScreen: true
      opensearch:
        hosts:
          - "https://opensearch-manager:9200"
          - "https://opensearch-warm:9200"
        password: admin
        username: admin
        requestHeadersAllowlist:
          - Authorization
        ssl:
          certificateAuthorities: "/usr/share/opensearch-dashboards/certs/root-ca.pem"
          verificationMode: full
      opensearch_security:
        auth:
          multiple_auth_enabled: "true"
          type:
            - basicauth
            - openid
        cookie:
          ttl: 86400000
          password: "xxxxxxxxxxxxxxxxxxxxxxxx"
        multitenancy:
          enabled: true
        openid:
          base_redirect_url: "https://opensearch.ui"
          client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          client_secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
          connect_url: "https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration"
          refresh_tokens: true
          scope: openid email profile
          verify_hostnames: true
        session:
          keepalive: true
          ttl: 86400000
        ui:
          openid:
            login:
              buttonname: Log in with Microsoft EntraID
      server:
        host: 0.0.0.0
        name: opensearch-dashboards
        port: "5601"
kind: ConfigMap
metadata:
  name: opensearch-dashboards-config
  namespace: opensearch-main
```
```shell
cat << EOF | kubectl apply -f -
apiVersion: v1
data:
  opensearch_dashboards.yml: |
      home:
        disableWelcomeScreen: true
      opensearch:
        hosts:
          - "https://opensearch-manager:9200"
          - "https://opensearch-warm:9200"
        password: xxxxxxxxxxxx
        username: xxxxxxxxxxxx
        requestHeadersAllowlist:
          - Authorization
        ssl:
          certificateAuthorities: "/usr/share/opensearch-dashboards/certs/root-ca.pem"
          verificationMode: full
      opensearch_security:
        auth:
          multiple_auth_enabled: "true"
          type:
            - basicauth
            - openid
        cookie:
          ttl: 86400000
          password: "xxxxxxxxxxxxxxxxxxxxxxxxx"
        multitenancy:
          enabled: true
        openid:
          base_redirect_url: "https://opensearch.app"
          client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
          client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          connect_url: "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration"
          refresh_tokens: true
          scope: openid email profile
          verify_hostnames: true
        session:
          keepalive: true
          ttl: 86400000
        ui:
          openid:
            login:
              buttonname: Log in with Microsoft EntraID
      server:
        host: 0.0.0.0
        name: opensearch-dashboards
        port: "5601"
kind: ConfigMap
metadata:
  name: opensearch-dashboards-config
  namespace: opensearch-main
EOF
```




Cluster is healthy:

```shell
sh /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/opensearch/config/opensearch-security \
  -icl \
  -nhnv \
  -key /usr/share/opensearch/config/certs/admin-key.pem \
  -cert /usr/share/opensearch/config/certs/admin.pem \
  -cacert /usr/share/opensearch/config/certs/root-ca.pem
```

```text
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Azure 
OpenSearch Version: 3.0.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security/
Will update '/config' with /usr/share/opensearch/config/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/opensearch/config/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/opensearch/config/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/opensearch/config/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/opensearch/config/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/opensearch/config/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/opensearch/config/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/audit' with /usr/share/opensearch/config/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /usr/share/opensearch/config/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 9 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"],"updated_config_size":9,"message":null} is 9 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"]) due to: null
SUCC: Expected 9 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"],"updated_config_size":9,"message":null} is 9 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"]) due to: null
Done with success
```

Relevant Logs or Screenshots:

@nelson The description is not clear, can you please confirm the following:

  1. You were running this already in the same version, using OIDC login.
  2. You attempted to create a user using a portal. What portal is this? OSD or from OIDC?
  3. The configuration you provided, is this the one that was working originally?
  4. What do you mean by "i am able to login but i am not able to authenticate without logging in"? When do you see the 401? Is it after you login using OIDC (MS EntraID)?

Hello Anthony

Thanks for jumping in

  1. Yes, I was running the same version and had no issues at all.
  2. Trying to login using the OpenSearch UI.
  3. No, it's not, but not far from it. I have tested countless configurations with no luck; I have changed configurations and gone back to the original config but still no luck. This current config is pretty standard and close to what I had originally.
  4. The authentication process is successful; I can see on the Entra side that the sign-in was successful, but it gets rejected as 401 in OpenSearch.
  5. I still have the same app registered with all the app roles mapped correctly with backend roles in OpenSearch, and it's been working just fine.

This is my common config:

```yaml
apiVersion: v1
data:
  config.yml: |
    _meta:
      type: config
      config_version: 2
    config:
      dynamic:
        on_behalf_of:
          enabled: true
          signing_key: xxxxxxxxxxxxxxx
          encryption_key: xxxxxxxxxxxxxxxx
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
            remoteIpHeader: x-forwarded-for
        do_not_fail_on_forbidden: true
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
                openid_connect_idp:
                  enable_ssl: true
                  pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
                  verify_hostnames: false
            authentication_backend:
              type: noop
```

I have also changed "challenge" from false to true, and true to false; that didn't work. Before, I was using just openid authentication; I had to go back to using both basic auth and openid since openid isn't working, that's why you have both in the config.

Basic auth works fine.

I have also been trying to inspect the token but that hasn't worked; I keep getting

```json
{"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: xxxxxxxxxxxx Correlation ID: xxxxxxxxxxxxxxxxxxxxx Timestamp: 2025-10-09 10:34:01Z","error_codes":[54005],"timestamp":"2025-10-09 10:34:01Z","trace_id":"d1e7f3e3-981c-4600-8d74-004c213a3d00","correlation_id":"xxxxxxxxxxxxxxxxxxxxxxxx"}
```
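As an added diagnostic (not code from this thread, from OpenSearch or from Microsoft), the script below decodes an id_token the way the openid authenticator reads it and checks it against the keys set in the config.yml above (subject_key: preferred_username, roles_key: roles, openid_connect_url), plus issuer and expiry consistency. The tenant id, client id and both tokens are constructed placeholders, and signature verification against the JWKS is out of scope here.

```python
import base64
import json
import time

SUFFIX = "/.well-known/openid-configuration"

def b64url_decode(part: str) -> bytes:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, claims); the signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def expected_issuer(openid_connect_url: str) -> str:
    """OIDC Discovery publishes metadata at <issuer>/.well-known/openid-configuration,
    so the 'iss' a token must carry is the connect URL with that suffix removed."""
    if not openid_connect_url.endswith(SUFFIX):
        raise ValueError("not an OIDC discovery URL")
    return openid_connect_url[: -len(SUFFIX)]

def check_token(token: str, subject_key: str, roles_key: str,
                openid_connect_url: str, now: float = None) -> list:
    """List the mismatches between this token and the authenticator config.
    Empty list: the claims the config relies on are all present and consistent."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    findings = []
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("alg=none: unsigned token, JWKS validation cannot pass")
    if subject_key not in claims:
        findings.append(f"subject_key '{subject_key}' not present in claims")
    if roles_key not in claims:
        findings.append(f"roles_key '{roles_key}' not present: no backend roles mapped")
    if claims.get("iss") != expected_issuer(openid_connect_url):
        findings.append(f"iss {claims.get('iss')!r} is not the issuer behind the connect URL")
    if claims.get("exp", 0) < now:
        findings.append("token expired (or has no exp)")
    return findings

def make_token(claims: dict) -> str:
    """Constructed sample token: well-formed, with a dummy signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    segs = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(segs + [b64url_encode(b"not-a-real-signature")])

# Placeholder tenant id; the thread masks the real one with x's.
TENANT = "00000000-0000-0000-0000-000000000000"
CONNECT_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0{SUFFIX}"

# Shaped like what config.yml above expects (constructed sample, exp = 2100-01-01).
GOOD = make_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                   "aud": "constructed-client-id", "exp": 4102444800,
                   "preferred_username": "alice@example.com", "roles": ["os_admin"]})
# Also a "successful" Entra sign-in, but: subject under 'upn', no 'roles', v1.0-style iss, expired.
BAD = make_token({"iss": f"https://sts.windows.net/{TENANT}/", "exp": 1700000000,
                  "upn": "alice@example.com"})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_token(tok, "preferred_username", "roles", CONNECT_URL) or "ok")
```

To run it against a real id_token, pass the token string and the real connect_url from config.yml to check_token; an empty result narrows the 401 down to signature, audience or transport issues rather than claim names.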

What do you see in the OpenSearch or OpenSearch Dashboards logs around the time of the failed login? The first thing that comes to mind is the redirect URI, because I see that you have both https://opensearch.ui and https://opensearch.app listed.

Hello cwperks

The opensearch.ui is correct; the other was probably a mistake. That is fine in my config.

These are the logs from Dashboards when I try to login to OpenSearch; I get 401 after a successful login:

{“type”:“response”,“@timestamp”:“2025-10-10T03:10:10Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:401,“req”:{“url”:“/favicon.ico”,“method”:“get”,“headers”:{“host”:“opensearch.ui”,“x-real-ip”:“10.162.0.4”,“x-forwarded-for”:“10.162.0.4”,“x-forwarded-host”:“opensearch.ui”,“x-forwarded-proto”:“https”,“connection”:“close”,“sec-ch-ua-platform”:““Windows””,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36”,“sec-ch-ua”:““Google Chrome”;v=“141”, “Not?A_Brand”;v=“8”, “Chromium”;v=“141””,“sec-ch-ua-mobile”:“?0”,“accept”:“image/avif,image/webp,image/apng,image/svg+xml,image/,/;q=0.8",“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“no-cors”,“sec-fetch-dest”:“image”,“referer”:“https://opensearch.ui/auth/openid/login?code=1.ASwA5Mxbz5yycEKr08SgqQBcRWA-WCMNFM5ErRPHXg8bfpssAAAsAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P8IpvPrjh_JEPNIbiKK8bTvbUqMeJkz_ScQdmAUpqMT6Yz3w8YXGoiaipKzRexdnQW1QrM-_bLGaaACgb_eW5hIPPBkP7V7vWXJ9UJMIE0F4ZsiMAT26aDGQ0kihXcWzd3Ss_OAchdIsCuKIyJbyc48IMUmNPTSUPooYpqQCE99RfJQULBxFuip-yXjyJd-_AKykma8RzqPG22__5Ew_LlMsrX_Qnb797B-uhufiYQzg4AOPzohBmnYYIxPvKBlNjfz1h2z0NLAbafNCiP13qWqUVSdVnZE2gxCz_0COMHMT-SaADQAOzGk7l40mTLeU59fPOUY5ESFWuKlDLJAAGH4IwFFKTVTpx0pcGScMzYbHFpa-rgylUqpQY7Dhbo4FTEBcMsACIS-P30t0Nyd6kkifcEO44NKPVgq1hT6wdjHJMNDHKHZeHUf-9rVvDfxMxQpAMn1r0PvA-8u2r2MpBOPUQ93xVJWGOd_ye4Ns9Vh5k-ntx0-TFeAZZRo-IBnQMUSKnnV1d6ATFnNmu46fFYfZiVXTzMNOkxkx4c4PSmJFANbF9xa6mY-lz2TH6ErEhPhwoZDKiaTgFd32eUFL-4ESidZJcFy2lat-bsdTOr6hU6hqun5GbEq9zLlUBnmxlG83Ow2W6KKrZ4AYCJ3s6ryRKtKsihhunmNPYT8AlfwV75ZKhN6pE6oLb_fo2jbl4Ye3wDfGedEk1ONdyg4dpy6l2IntvEHD2yxsmJI2L8CpCm_vj--0G8Nr88QS91rveCHfZ2WPhKZNVH5X4EK2Q&state=CbXlREx8P_UdLQrZZ1bdHu&session_state=009a2509-ca57-ab7d-d472-c8685fb73801",“accept-encoding”:"gzip, deflate, br, zstd”,“accept-language”:“en-US,en;q=0.9”},“remoteAddress”:“10.42.2.206”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 
Safari/537.36”,“referer”:“https://opensearch.ui/auth/openid/login?code=1.ASwA5Mxbz5yycEKr08SgqQBcRWA-WCMNFM5ErRPHXg8bfpssAAAsAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P8IpvPrjh_JEPNIbiKK8bTvbUqMeJkz_ScQdmAUpqMT6Yz3w8YXGoiaipKzRexdnQW1QrM-_bLGaaACgb_eW5hIPPBkP7V7vWXJ9UJMIE0F4ZsiMAT26aDGQ0kihXcWzd3Ss_OAchdIsCuKIyJbyc48IMUmNPTSUPooYpqQCE99RfJQULBxFuip-yXjyJd-_AKykma8RzqPG22__5Ew_LlMsrX_Qnb797B-uhufiYQzg4AOPzohBmnYYIxPvKBlNjfz1h2z0NLAbafNCiP13qWqUVSdVnZE2gxCz_0COMHMT-SaADQAOzGk7l40mTLeU59fPOUY5ESFWwuKlDLJAAGdeH4IwFFKTVTpx0pcGScMzYbHFpa-rgylUqpQY7Dhbo4FTEBcMsACIS-P30t0Nyd6kkifcEO44NKPVgq1hT6wdjHJMNDHKHZeHUf-9rVvDfxMxQpAMn1r0PvA-8u2r2MpBOPUQ93xVJWGOd_ye4Ns9Vh5k-ntx0-TFeAZZRo-IBnQMUSKnnV1d6ATFnNmu46fFYfZiVXTzMNOkxkx4c4cvPSmJFANbF9xa6mY-lz2TH6ErEhPhwoZDKiaTgFd32eUFL-4ESidZJcFy2lat-bsdTOr6hU6hqun5GbEq9zLlUBnmxlG83Ow2W6KKrZ4AYCJ3s6ryRKtKsihhunmNPYT8AlfwV75ZKhN6pE6oLb_fo2jbl4Ye3wDfGedEk1ONdyg4dpy6l2IntvEHD2yxsmJI2L8CpCm_vj--0G8Nr88QS91rveCHfZ2WPhKZNVH5X4EK2Q&state=CbXlREx8P_UdLQrZZ1bdHu&session_state=009a2509-ca57-ab7d-d472-c8685fb73801"},“res”:{“statusCode”:401,“responseTime”:3,“contentLength”:9},“message”:"GET /favicon.ico 401 3ms - 9.0B”}{“type”:“response”,“@timestamp”:“2025-10-10T03:10:13Z”,“tags”: 
```,“pid”:1,“method”:“get”,“statusCode”:302,“req”:{“url”:“/auth/openid/login?code=1.ASwA5Mxbz5yycEKr08SgqQBcRWA-WCMNFM5ErRPHXg8bfpssAAAsAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P8IpvPrjh_JEPNIbiKK8bTvbUqMeJkz_ScQdmAUpqMT6Yz3w8YXGoiaipKzRexdnQW1QrM-_bLGaaACgb_eW5hIPPBkP7V7vWXJ9UJMIE0F4ZsiMAT26aDGQ0kihXcWzd3Ss_OAchdIsCuKIyJbyc48IMUmNPTSUPooYpqQCE99RfJQULBxFuip-yXjyJd-_AKykma8RzqPG22__5Ew_LlMsrX_Qnb797B-uhufiYQzg4AOPzohBmnYYIxPvKBlNjfz1h2z0NLAbafNCiP13qWqUVSdVnZE2gxCz_0COMHMT-SaADQAOzGk7l40mTLeU59fPOUY5ESFWuKlDLJAAGH4IwFFKTVTpx0pcGScMzYbHFpa-rgylUqpQY7Dhbo4FTEBcMsACIS-P30t0Nyd6kkifcEO44NKPVgq1hT6wdjHJMNDHKHZeHUf-9rVvDfxMxQpAMn1r0PvA-8u2r2MpBOPUQ93xVJWGOd_ye4Ns9Vh5k-ntx0-TFeAZZRo-IBnQMUSKnnV1d6ATFnNmu46fFYfZiVXTzMNOkxkx4c4PSmJFANbF9xa6mY-lz2TH6ErEhPhwoZDKiaTgFd32eUFL-4ESidZJcFy2lat-bsdTOr6hU6hqun5GbEq9zLlUBnmxlG83Ow2W6KKrZ4AYCJ3s6ryRKtKsihhunmNPYT8AlfwV75ZKhN6pE6oLb_fo2jbl4Ye3wDfGedEk1ONdyg4dpy6l2IntvEHD2yxsmJI2L8CpCm_vj–0G8Nr88QS91rveCHfZ2WPhKZNVH5X4EK2Q&state=CbXlREx8P_UdLQrZZ1bdHu&session_state=009a2509-ca57-ab7xsddd-d472-c8685fb73801”,“method”:“get”,“headers”:{“host”:“opensearch.ui”,“x-real-ip”:“10.162.0.4”,“x-forwarded-for”:“10.162.0.4”,“x-forwarded-host”:“opensearch.ui”,“x-forwarded-proto”:“https”,“connection”:“close”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36”,“accept”:“text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8”,“accept-language”:“en-us,en;q=0.5”,“sec-fetch-mode”:“navigate”,“accept-encoding”:“identity”},“remoteAddress”:“10.42.2.206”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36”},“res”:{“statusCode”:302,“responseTime”:3,“contentLength”:9},“message”:“GET 
/auth/openid/login?code=1.ASwA5Mxbz5yycEKr08SgqQBcRWA-WCMNFM5ErRPHXg8bfpssAAAsAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P8IpvPrjh_JEPNIbiKK8bTvbUqMeJkz_ScQdmAUpqMT6Yz3w8YXGoiaipKzRexdnQW1QrM-_bLGaaACgb_eW5hIPPBkP7V7vWXJ9UJMIE0F4ZsiMAT26aDGQ0kihXcWzd3Ss_OAchdIsCuKIyJbyc48IMUmNPTSUPooYpqQCE99RfJQULBxFuip-yXjyJd-_AKykma8RzqPG22__5Ew_LlMsrX_Qnb797B-uhufiYQzg4AOPzohBmnYYIxPvKBlNjfz1h2z0NLAbafNCiP13qWqUVSdVnZE2gxCz_0COMHMT-SaADQAOzGk7l40mTLeU59fPOUY5ESFWuKlDLJAAGH4IwFFKTVTpx0pcGScMzYbHFpa-rgylUqpQY7Dhbo4FTEBcMsACIS-P30t0Nyd6kkifcEO44NKPVgq1hT6wdjHJMNDHKHZeHUf-9rVvDfxMxQpAMn1r0PvA-8u2r2MpBOPUQ93xVJWGOd_ye4Ns9Vh5k-ntx0-TFeAZZRo-IBnQMUSKnnV1d6ATFnNmu46fFYfZiVXTzMNOkxkx4c4PSmJFANbF9xa6mY-lz2TH6ErEhPhwoZDKiaTgFd32eUFL-4ESidZJcFy2lat-bsdTOr6hU6hqun5GbEq9zLlUBnmxlG83Ow2W6KKrZ4AYCJ3s6ryRKtKsihhunmNPYT8AlfwV75ZKhN6pE6oLb_fo2jbl4Ye3wDfGedEk1ONdyg4dpy6l2IntvEHD2yxsmJI2L8CpCm_vj–0G8Nr88QS91rveCHfZ2WPhKZNVH5X4EK2Q&state=CbXlREx8P_UdLQrZZ1bdHu&session_state=009a2509-ca57-ab7d-d472-c8685fb73801 302 3ms - 9.0B”}{“type”:“response”,“@timestamp”:“2025-10-10T03:10:13Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:302,“req”:{“url”:“/auth/openid/login”,“method”:“get”,“headers”:{“host”:“opensearch.ui”,“x-real-ip”:“10.162.0.4”,“x-forwarded-for”:“10.162.0.4”,“x-forwarded-host”:“opensearch.ui”,“x-forwarded-proto”:“https”,“connection”:“close”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/136.0.0.0 Safari/537.36”,“accept”:"text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8”,“accept-language”:“en-us,en;q=0.5”,“sec-fetch-mode”:“navigate”,“accept-encoding”:“identity”},“remoteAddress”:“10.42.2.206”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36”},“res”:{“statusCode”:302,“responseTime”:3,“contentLength”:9},“message”:“GET /auth/openid/login 302 3ms - 9.0B”}

I attempted to get the token, but this is always the output; my guess is this is probably what OpenSearch is seeing when I get authenticated, and then it throws a 401.

If this was working before and the OpenSearch configuration hasn't been changed, this would indicate that MS EntraID was changed. Perhaps an expired secret? In the above screenshot it does complain about a missing or expired client secret; have you provided the secret in the request?